Projet

Général

Profil

BGP » Historique » Version 62

Version 61 (Laurent GUERBY, 08/09/2013 18:30) → Version 62/192 (Laurent GUERBY, 05/10/2013 19:03)

{{>toc}}

h1. BGP

Nous utilisons BIRD sous Linux comme routeur BGP

http://bird.network.cz/

blog bgp http://www.renesys.com/blog/
flowspec http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec
DFZ = Default Free Zone archive http://archive.routeviews.org/
http://www.ripe.net/data-tools/stats/ris/routing-information-service
http://pch.net/resources/data/routing-tables/archive/
http://pch.net/resources/data/routing-tables/mrt-bgp-updates/
http://www.nanog.org/meetings/archive/
http://tools.ietf.org/html/draft-lapukhov-bgp-routing-large-dc-02

http://inside.godaddy.com/inside-story-happened-godaddy-com-sept-10-2012/

http://tools.ietf.org/html/rfc4271#section-9.1 BGP route decision process

http://www.ipbcop.org/
IP Best Current Operational Practices Documented best practices for Engineers by Engineers

BGP best practices ANSSI
https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Article-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf_2.pdf
http://www.ssi.gouv.fr/fr/bonnes-pratiques/recommandations-et-guides/securite-des-reseaux/le-guide-des-bonnes-pratiques-de-configuration-de-bgp.html


https://www.ams-ix.net/technical/specifications-descriptions/ams-ix-route-servers

these LAAS BGP http://www.laas.fr/1-31360-Detail-Soutenance-de-these.php?id=600
http://www.laas.fr/1-31706-Publications.php?author=7738
http://www.net.t-labs.tu-berlin.de/papers/OMUPMO-OOSICP-11.pdf
http://hal.archives-ouvertes.fr/docs/00/60/53/83/PDF/dVirt-virtual_platform.pdf
http://hal.archives-ouvertes.fr/docs/00/48/70/74/PDF/Poster_SIGCOMM2010_philippe.pdf

Le monde sur BGP http://reseaux.blog.lemonde.fr/2012/11/04/routage-enjeu-cyberstrategie/

coupure free wanadoo http://www.journaldunet.com/solutions/0301/030122_freeft.shtml

tsunami Japon 2011 et BGP : http://archive.psg.com/111206.conext-quake.pdf

Session is up on telnet:route-views.routeviews.org username rviews

BGP book http://www.bortzmeyer.org/files/bgp.html

Cyclops is able to detect several forms of route hijack attacks http://cyclops.cs.ucla.edu/
BGPmon monitors the routing of your prefixes and alerts you in case of an 'interesting' path chang http://www.bgpmon.net/

http://jointtransit.nl/prices.html

http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

* taille table de routage http://bgp.potaroo.net/

* BGP in 2011 Geoff Huston APNIC http://iepg.org/2011-11-ietf82/2011-11-13-bgp2011.pdf

* http://pages.cs.wisc.edu/~plonka/netgear-sntp/

* http://www.afnic.fr/fr/l-afnic-en-bref/actualites/actualites-generales/7114/show/l-observatoire-sur-la-resilience-de-l-internet-francais-publie-son-rapport-2012.html

* http://www.ris.ripe.net/dashboard/2a01:6600:8000::/40

* http://www.bortzmeyer.org/6996.html
** RFC 6996 : Autonomous System (AS) Reservation for Private Use
** http://www.iana.org/assignments/as-numbers

* Look for TRACEROUTE by SRCGUARDIAN in the Play Store. It needs network access only... Doesn't do TCP but does ICMP and UDP traceroutes and displays ASN as well ...

h1. TouIX et GIX

http://touix.net
http://wikilulu.net/doku.php?id=articles:gix-howto

h1. Evolutions de la conf BGP

* http://lists.tetaneutral.net/pipermail/technique/2011-December/000118.html

TODO:
* mise en place d'un gestionaire de version style git au moins pour documentation
* Comment gerer les password MD5 du fichier de conf (les garder secrets tout en publiant le reste)
* Atelier ?
** Laurent GUERBY
** Solarus
** Ajouter son nom...

Alternative a MP BGP
http://tools.ietf.org/html/draft-ietf-idr-bgp-multisession-06

Add Path
http://tools.ietf.org/html/draft-ietf-idr-add-paths-07
support in bird ? http://marc.info/?l=bird-users&m=134409996129466&w=2

h1. Liens

* http://www.cl.cam.ac.uk/~tgg22/talks/BGP_TUTORIAL_ICNP_2002.ppt
* http://www.menog.net/menog-meetings/menog5/presentations/smith-32bit-asn-update.pdf
* AS4 http://www.rfc-editor.org/rfc/rfc4893.txt
* bonnes pratiques incidents BGP
** https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Slides-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf.pdf
* test ping plus UDP http://www.broadband-forum.org/technical/download/TR-143.pdf

h1. Configuration Toulouse

<pre>
router id 91.224.148.2;
define myas = 197422;

protocol device {
scan time 10;
primary "eth0" 91.224.148.3;
}

protocol static static_bgp {
import all;
route 91.224.148.0/23 reject;
}

protocol kernel{
import all;
export all;
}

function avoid_martians()
prefix set martians;
{
martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];

# Avoid 0.0.0.0/X
if net.ip = 0.0.0.0 then return false;

# Avoid too short and too long prefixes
if (net.len < 8) || (net.len > 24) then return false;

# Avoid RFC1918 networks
if net ~ martians then return false;
return true;
}

filter bgp_OUT {
if (net ~ [91.224.148.0/23]) then accept;
else reject;
}

protocol bgp TOUIX {
local as myas;
neighbor 91.213.236.1 as 47184;
preference 200;
import where avoid_martians();
export filter bgp_OUT;
}

protocol bgp JAGUAR {
local as myas;
neighbor 31.172.233.1 as 30781;
preference 50;
import where avoid_martians();
export filter bgp_OUT;
}

protocol bgp TETANEUTRAL {
local as myas;
neighbor 91.224.148.2 as myas;
preference 100;
import where avoid_martians();
export all;
}
</pre>

h1. IRR

* From nanog:
http://www.clarksys.com/blog/2009/09/02/using-irr-with-level3/
whois -h filtergen.level3.net "RIPE::YOUR-AS-SET -searchpath=RIPE;ARIN;RADB -recurseok -warnonly"

h1. Blackholing

h2. Attaques

* 20120629 http://lists.tetaneutral.net/pipermail/technique/2012-July/000406.html
* http://blog.cloudflare.com/65gbps-ddos-no-problem

h2. URPF

blacklister une/plusieures sources est relativement complexe à mettre en place sur une petite infrastructure car nécessite la mise en place de l'URPF (Unicast Reverse Path Forwarding).

http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html

h2. RFC3882

* http://www.ietf.org/rfc/rfc3882.txt
community AS:666 sur annonce /32 pour balckhole par AS upstream

* doc CISCO
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

h2. RFC1997

* http://www.ietf.org/rfc/rfc1997.txt
BGP Communities Attribute

* doc CISCO
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-2/bgp_communities.html

h2. BIRD

* http://www.mail-archive.com/bird-users@atrey.karlin.mff.cuni.cz/msg01998.html

h2. Absolight

* communauté 29608:65001 sur /24..32 IPv4 et /41..128 IPv6 => blackhole
* test 20120703 IPv4 et IPv6, ça marche et convergence très rapide

h2. GIXE

* communauté 31576:666 sur /32 => blackhole
* test 20120703 => marche pas encore, signalé et dev a faire coté GIXE pour autoriser les /32

h2. Jaguar

* https://extranet.jaguar-network.com/app/public/index.php?cmd=bgp-policy
* demande 20120702 : pas de communauté blackhole actuellement, en reflexion
* déploiement de matériel arbor networks, reglage a affiner (pas de detection d'attaque)

h2. Gitoyen

* demande 20120704 sur la liste, réponse 20120717
* Tata http://noc.easycolocate.nl/Teleglobe_bgp_comm.pdf
*** => black-hole route (host route or shorter prefix within customer’s RIR registred assignment) 64999:0
* Ielo whois AS29075 => 29075:0 Null-route/Blackhole
* https://pad.ilico.org/p/cleanup-bgp-gitoyen

h2. France-IX

* community plan : https://apps.db.ripe.net/whois/lookup/ripe/aut-num/AS51706.html
* TODO tester

h2. Equinix-IX

* community plan : https://ix.equinix.com/ixp/mlpeCommunityInfo
* TODO tester

h2. TouIX

* demande acces switch et route server 20120702
* TODO

h2. Hurricane Electric

* http://www.he.net/adm/
* http://www.he.net/adm/blackhole.html
* TODO tester

h2. Sfinx

* http://www.renater.fr/route-servers-bgp?lang=fr
* whois AS1304 =>
remarks: 1304:65281 = Apply NO-EXPORT community
remarks: 1304:65282 = Apply NO-ADVERTISE community